Ever since the FAIR model was selected by The Open Group in 2013 as their standard model for quantifying information risk, risk professionals have been looking for ways to apply it practically. Users cherish the principles upon which FAIR is based:
It’s no surprise, then, that some risk analysts instinctively turn to spreadsheets to test the FAIR concepts and conduct basic risk analyses. After all, the FAIR model breaks down the various factors of a risk analysis in such logical and practical terms.
We encountered several analysts who tried to hack their way into developing a spreadsheet-based risk analysis solution that can be used as part of their risk management program. Their assumption was that they might be able to develop a viable and possibly cost-effective alternative to commercially available applications.
Before you go ahead with your own spreadsheet solution for FAIR analysis, consider these three important cautions.
1. Many Have Tried Before without Success
Over the past several years, we’ve had the privilege of working with some of the largest and most influential companies in the world. It is no surprise that many, including top financial institutions with tremendous resources, decided to try this on their own.
Successes have been limited at best, and most efforts were abandoned once the teams realized the scope of risk analysis requirements. There was much more at play than just modeling a single analysis with discrete data inputs.
2. Spreadsheets Have Significant Inherent Limitations
You might try to create your own spreadsheet on the tail end of busy workdays. What you will soon discover is that spreadsheets are static and labor-intensive. Turning a general-purpose tool into a specialized enterprise cyber risk analysis and quantification solution is a hugely expensive endeavor:
Also, there are certain objectives you simply cannot achieve. For instance:
3. We’ve Built the Right Tools for You
OK, so you’ve weighed all the pros and cons of a spreadsheet and have still decided to build your own solution to educate yourself on FAIR or do actual risk analyses… STOP. We’ve already done the work for you!
So, whether you are just starting with FAIR or have enterprise risk analysis needs, consider FAIR-U or RiskLens before building your own spreadsheet.
Here is a chart comparing spreadsheet-based approaches to FAIR analysis with FAIR-U and RiskLens.
Where to Go from Here
Whatever path you decide to take, we’re very glad you have an interest in FAIR. We strongly believe this model will continue to change our profession for the better and help many cyber risk professionals manage cybersecurity from the business perspective.
If you’re interested in learning more about FAIR, the FAIR Institute will be hosting the second annual FAIR Conference in Dallas this October 16-17th, back to back with RSA Charge. This will be a fantastic event and you can still take advantage of discounted pricing if you’re a member of the FAIR Institute.